Here is my query. In the final line chart, when I hover, I am not getting different dates, only 26th Sept (today's date). (I want to have today, last week same day, 2 weeks back same day & 3 weeks back same day in the same visualization.)
index=xyz sourcetype=abc earliest = -60m@m latest = @m
|eval ReportKey="Today"
|append
[search index=xyz sourcetype=abc earliest = -60m@m-1w latest = @m-1w
|eval ReportKey="LastWeek" | eval _time=_time+60*60*24*7]
|append
[search index=xyz sourcetype=abc earliest = -60m@m-2w latest = @m-2w
|eval ReportKey="TwoWeeksBefore" | eval _time=_time+60*60*24*14]
|append [search index=xyz sourcetype=abc earliest = -60m@m-3w latest = @m-3w
|eval ReportKey="ThreeWeeksBefore" | eval _time=_time+60*60*24*21]
|timechart span = 1m count(index) as Volume by ReportKey
Only today's date is being shown because _time is adjusted to the current date in each subsearch. You can avoid showing the date and show only the time using fieldformat.
index=xyz sourcetype=abc earliest = -60m@m latest = @m
|eval ReportKey="Today"
|append
[search index=xyz sourcetype=abc earliest = -60m@m-1w latest = @m-1w
|eval ReportKey="LastWeek" | eval _time=relative_time(_time, "+1w")]
|append
[search index=xyz sourcetype=abc earliest = -60m@m-2w latest = @m-2w
|eval ReportKey="TwoWeeksBefore" | eval _time=relative_time(_time, "+2w")]
|append [search index=xyz sourcetype=abc earliest = -60m@m-3w latest = @m-3w
|eval ReportKey="ThreeWeeksBefore" | eval _time=relative_time(_time, "+3w")]
|timechart span = 1m count(index) as Volume by ReportKey
|fieldformat _time=strftime(_time, "%H:%M:%S")
Though I see the statistics with only hrs:min:sec in _time and 04 columns (Lastweek, threeWeeksbefore, Today and Twoweekbefore), I can't see the line chart as a visualization now. 😞
I wanted a line chart with _time on the x axis and all the rest on the y axis.
As we have strategically removed the day, any visualization with _time as the x axis is no longer showing.
@richgalloway: What should be the next step to see the visualization? With only hrs, min and sec there is no graph/chart possible.
You have a choice to make. If you wish to see a visualization then the full timestamp must be present and you will see today's date. If you do not wish to see today's date then it can be removed, but then you will not see a visualization.
Can I remove the date part from XML in the visualization? (I want to have the visualization and also don't want to see the date while I hover on it.)
I want to see the value while I hover but not the date.
The reason you're only getting Sept 26th is because you're rewriting the timestamp in each appended search and setting them to today's date. The timewrap function is what you need. Try this:
index=xyz sourcetype=abc earliest = -60m@m latest = @m
|append [search index=xyz sourcetype=abc earliest=-60m@m-1w latest=@m-1w]
|append [search index=xyz sourcetype=abc earliest=-60m@m-2w latest=@m-2w]
|append [search index=xyz sourcetype=abc earliest=-60m@m-3w latest=@m-3w]
|timechart span = 1m count(index) as Volume
|timewrap w
This is still giving the same _time with today's date and time in stats. 🙂
You said your end goal was "I want to have today, last week same day, 2 weeks back same day & 3 week back same day in the same visualization"
Is it necessary to have _time accurate? The search I provided automatically tags them as latest_week, 1week_before, 2weeks_before and 3weeks_before.
If you want _time accurate, then you can remove the timewrap command and you'll get them all on the one graph, but it's not gonna be that useful since you're looking at 1 hour per week, which means 167 hours are empty.
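The fold discussed in this thread, as an added example that is not part of any post above: a simplified Python model (not Splunk's implementation) of `timechart span=1m count` followed by `timewrap w`, showing why every row carries today's date while each week becomes its own column. The function names, the sample events and the year in the constructed "now" are assumptions; the column labels are the ones quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEEK = timedelta(weeks=1)
# Series labels as quoted in the thread
LABELS = ["latest_week", "1week_before", "2weeks_before", "3weeks_before"]

def bucket_per_minute(event_times):
    """Model of `timechart span=1m count`: number of events per minute bucket."""
    counts = defaultdict(int)
    for t in event_times:
        counts[t.replace(second=0, microsecond=0)] += 1
    return counts

def wrap_by_week(counts, latest):
    """Model of `timewrap w`: fold every bucket onto the newest week's time axis.

    `latest` is the end of the newest search window.
    Returns {wrapped_time: {label: count}}, one row per minute, one column per week.
    """
    rows = defaultdict(dict)
    for bucket, n in counts.items():
        weeks_back = (latest - bucket) // WEEK  # 0 for the newest week
        rows[bucket + weeks_back * WEEK][LABELS[weeks_back]] = n
    return dict(sorted(rows.items()))

def sample_events(latest):
    """Constructed data: week k has k+1 events in each of two minutes."""
    events = []
    for k in range(4):
        for minute in (10, 20):
            base = latest - k * WEEK - timedelta(minutes=minute)
            events += [base + timedelta(seconds=s) for s in range(k + 1)]
    return events

if __name__ == "__main__":
    latest = datetime(2024, 9, 26, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    wrapped = wrap_by_week(bucket_per_minute(sample_events(latest)), latest)
    for t, cols in wrapped.items():
        print(t.isoformat(), cols)
```

Every wrapped timestamp falls on the newest day because the x axis is shared; the week each value came from survives only in the column name.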